by g_p 1789 days ago
Good point - perhaps I didn't make the limitations clear enough, though - this would only help if the early payload gets delivered through a request made to a remote server (which inherently goes through default system DNS).

That's a fairly common compromise model though in my view - a message might contain a URL, and your phone might locally do a fetch of it to prepare a pretty preview, and that might try to exploit some weakness in the browser engine or whatever.

Given this was delivered via iMessage you're right - once they have code execution, the attacker can evade your DNS. If they can't get enough code in through their initial method to get their own DNS going, they might send a dropper which then pulls more code in from elsewhere, and that may give you an IOC to detect from that first query. If they can front their content on a popular domain though, this won't help.

Definitely favour network-level protections before doing this, but if you just want the ability to get a view of your own DNS traffic from your device when it moves across WiFi and mobile data, this will give you a starting point.
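As an added illustration of the "first query as IOC" idea and its limitation (example code, not from the thread or any project it mentions): a first-seen-domain check run over constructed DNS query logs, assuming a simple "ISO-timestamp name" line format and a known message arrival time. A name already in the baseline, such as a popular CDN an attacker fronts content on, is deliberately not flagged.

```python
from datetime import datetime, timedelta

# Constructed sample DNS query logs (timestamp, queried name); not real captures.
BASELINE_LOG = """\
2020-01-10T08:00:01 api.example-mail.test
2020-01-10T08:00:02 cdn.popular-static.test
2020-01-10T08:05:00 api.example-mail.test
"""

DAY_LOG = """\
2020-01-11T09:00:00 api.example-mail.test
2020-01-11T09:00:03 preview-host.unseen.test
2020-01-11T09:00:04 cdn.popular-static.test
2020-01-11T14:30:00 api.example-mail.test
"""


def parse_log(text):
    """Parse 'ISO-timestamp name' lines into (datetime, normalised name) tuples."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, name = line.split(None, 1)
        out.append((datetime.fromisoformat(ts), name.strip().rstrip(".").lower()))
    return out


def first_seen_after(baseline_text, day_text, message_time, window):
    """Return (timestamp, name) for names never queried in the baseline that
    appear within `window` after `message_time` (when a suspicious message
    arrived). Baseline names are skipped, so content fronted on a domain the
    device already talks to (e.g. a popular CDN) is not reported: this is the
    limitation the comment describes."""
    known = {name for _, name in parse_log(baseline_text)}
    hits = []
    for ts, name in parse_log(day_text):
        if name in known:
            continue
        if message_time <= ts <= message_time + window:
            hits.append((ts.isoformat(), name))
        known.add(name)  # report each newly seen name only once
    return hits


def demo():
    """Run the check on the constructed logs with a 5-minute window."""
    t0 = datetime(2020, 1, 11, 9, 0, 0)  # hypothetical message arrival time
    return first_seen_after(BASELINE_LOG, DAY_LOG, t0, timedelta(minutes=5))


if __name__ == "__main__":
    for ts, name in demo():
        print(f"{ts} first-seen query: {name}")
```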